Those data points come from software that monitors students’ every mouse click, every keystroke, every split-second hesitation as children work through digital textbooks, as Politico describes it.

In fact, Knewton is able to not only find out what individual students know, but how they think – including which kids will have trouble focusing on science before lunch and those who’ll struggle with fractions next week, the news outlet reports.

It’s impressive analysis based on breathtakingly thorough data mining. But as it turns out, this type of education-related technology often comes with a scandalous disregard for its subjects’ privacy.

Indeed, parents should be asking what privacy policies, exactly, are protecting their kids’ personal information?

Politico recently examined hundreds of pages of privacy policies for education software such as Knewton to ascertain how children’s privacy is being handled in this lucrative world of education-related technology.

If you’ve been reading related studies and keeping up with news such as that of Google getting sued for data-mining students through its Google Apps for Education (and subsequently giving up on that data-mining), you won’t be surprised to hear that there’s not much out there to protect kids’ privacy.

As it is, a December 2013 Fordham University School of Law study found that although 95% of US school districts rely on cloud services, those cloud services are opaque, poorly understood and weakly governed.

Parents are mostly kept in the dark about cloud storage of their children’s data, Fordham found, with only 25% of districts informing parents that they use cloud services.

Many districts don’t even have privacy policies, which is just one sign of what the study’s authors called “rampant gaps” in contract documentation in a “sizable plurality” of districts.

From the report:

Districts frequently surrender control of student information when using cloud services: fewer than 25% of the agreements specify the purpose for student information disclosures, fewer than 7% of the contracts restrict the sale or marketing of student information by vendors, and many agreements allow vendors to change the terms without notice.

This is all in spite of FERPA, the Family Educational Rights and Privacy Act, which gives parents some control over the disclosure of information from students’ records and which generally requires districts to have direct control of student information when disclosed to third-party service providers.

(On the flip side, FERPA also gives school districts the rights to share student data with private companies if it furthers educational goals.)

Beyond these issues, the study also found an “overwhelming majority” of cloud service contracts don’t even address parental notice, consent, or access to student information.

From the report:

Some services even require parents to activate accounts and, in the process, consent to privacy policies that may contradict those in the district’s agreement with the vendor, which contradicts laws that require parental notice, consent, and access to student information.

Neither, generally, do agreements between districts and cloud service providers account for data security.

In fact, they frequently allow vendors to retain student information in perpetuity, in spite of the fact that, as the report points out, “basic norms of information privacy require data security.”

As Politico reports, both Republicans and Democrats are all for this practice of private-sector data mining, even as legislators attempt to rein in NSA surveillance.

The Obama administration has even encouraged the practice by relaxing federal privacy law so that school districts can share student data more widely, Politico reports.

Resistance to this free-for-all plundering of children’s data has been mounting, however.

Prohibit the use of students’ personally identifiable information to advertise or market a product or service;

Give parents the right to access personal information about their children held by private companies and amend it if it’s wrong;

Make transparent the name of companies that have access to student information by directing school districts to maintain a record of all outside companies with who the school contracts;

Minimize the amount of personally identifiable information (PII) transferred from schools to private companies; and

Ensure private companies can’t maintain dossiers on students in perpetuity by requiring the companies to at some point delete PII.

As well, in addition to the court action against Google’s data-mining in Google Apps for Education, the past year has seen ferocious pushback from parents against cloud storage of their children’s PII.

InBloom, a cloud storage service provider that was offering to house and manage student data for public school districts across the US by extracting a dizzying array of information – some 400 data fields – from disparate school databases and new, optional, sometimes intrusive fields, closed up shop in April as a result of that pushback.

But what evil, exactly, have ed-tech companies done with kids’ data?

As Politico notes, there haven’t been big data breaches in K-12 education in the US, although there have certainly been plenty at university level.

Still, problems are rife. One company the news outlet examined notes in passing that confidential student data should be shared “very carefully”, but it offers no guidelines.

When Politico inquired about another company’s privacy policy – a policy that gave the company the right to use students’ PII in order to send them targeted advertising – the policy was speedily rewritten and reposted, with a brand-new emphasis on protecting privacy and minus a line about the targeted ads.

We haven’t yet seen the most intrusive technologies. As Reuters reported at the time, the Bill & Melinda Gates Foundation in 2012 funded a $1.4 million research project to outfit middle-school students with biometric sensors designed to detect how they responded on a subconscious level to each minute of each lesson.

At the end of the day, we’re left with many serious questions, the most basic of which is this: Are these technologies helping children to the extent that they warrant their obtrusiveness?

Post navigation

About the author

Lisa has been writing about technology, careers, science and health since 1995. She rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash and joined the freelancer economy. Alongside Naked Security Lisa has written for CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output.

5 comments on “Education data mining puts kids’ privacy at risk”

I think something needs to happen, first. As it stands, if I’m an advertiser directing ads at children, what benefit is it to me to know that little Timmy hates math versus not knowing anything about little Timmy? Is that a bad thing? Data isn’t evil. It’s what you do with it that is. What are they going to do with it?

I love today’s technology. I do. But at what price? I try and limit what information I put out into the cloud, but with every keystroke, I know that I’m sending information out into the cloud to be mined. What privacy (if any) will the next generation have at all? Maybe they’ll be used to it by the time they grow up, but articles like this just make me shiver.

First, the algorithmic assumptions that data providers make in determining how to easily and quickly display thousands of points of data in a simple way – to make them actionable – is questionable. At some level, a developer had to produce an algorithm, for instance, that “find[s] out what individual students know… [and] how they think…”.

The danger in this is that we have only a few means to capture “what students know” (e.g., a keyboard and mouse, or a single biometric) and that those data are then once again simplified to create a stereotyped view of a student “who doesn’t like to learn science before lunch”.

Put another way, the danger here is that the diagnostic tool is poorly created and leads to inappropriate interventions — or interventions that raise a test metric within a software environment, but that do not actually produce deeper, more robust understanding.

Second, these assumptions are themselves dangerous in the aggregate, on an individual basis, when shared with actors that use the data to make meaningful decisions. For example, educators may make decisions about tracking based solely upon the data of these environments, when a student could be quite capable in ways not observed by a computer (but observable in other contexts); OR, for that matter, in a hypothetical case, a student loan agency could determine loan eligibility or rates based upon past performance.

These detriments – data-driven discrimination, as I term it – are the ethical grey areas not so evident as a data breech, but potentially much more impactful in the long term.

I do appreciate your article and believe it brings important points to light. To take things a step further, what else can or should we know, or can or should we consider, as educators ourselves, to be better informed? Your article is a fine start. What next?